Email Security comes with a set of sensible default Rules. These defaults may be sufficient for your organisation, but we still recommend you familiarise yourself with them, in order to fully understand what's happening. There are defaults for both Message Rules and Connection Rules.

Many of the default Rules are System Rules. System Rules will be hidden, unless you set the View System Rules toggle to .

Default Connection Rules

Connection rules are used when a connection is made to EMS and before any email content is processed. If an email is rejected, no message rules will apply.

Please don't make changes to these default Rules. If you do so, the amount of spam you receive will probably increase significantly.

System Rules

(Locked) DHA

The (Locked) DHA Rule checks whether a valid email address is configured in the Mailboxes section of the portal. If the email address is not configured, then the message is rejected.

(Default) Spamhaus

Commercially available blacklists of IP addresses known to send spam. This includes the XBL, SBL and PBL.

(Default) Spam RBL

Commercially available blacklists of IP addresses known to send spam.

(Default) Invalid MX record

This rule will only be triggered if the MX record for the domain is invalid and EMS was unable to deliver.

Standard Rules

Maximum Mail Size

Automatically rejects emails above a certain size. The default is 50Mb, but you can easily change that limit.

Routing Loop detection

Detects mails that are in a possible loop based on the received header count. Values available from 25-32 hops.

Deny

The Deny Rule is used to block connections from addresses that are entered on the Global and personal Deny lists. It will block inbound and outbound email from and to those email addresses respectively.

Default Message Rules

System Rules

(Default) Signature Verification

Adds a header to the message (Authentication-Result) with the various pass or fail properties of the email.

(Default) DMARC Fail

This checks the DMARC result in the message's Authentication Result header (added by the Signature Verification Rule) for all inbound emails. When there is a failed DMARC result and the sender domain has reject/quarantine in its published DMARC policy, the email will be quarantined.
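The decision this rule describes, as an added example that is not the product's own code. It assumes the header carries the RFC 8601 name Authentication-Results and that the sender domain's DMARC TXT record is passed in as a string rather than fetched from DNS; the function names and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from a real mail flow).
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.org;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com
From: "Accounts" <billing@example.com>
Subject: Invoice

Please see attached.
"""

def dmarc_result(raw_message, header="Authentication-Results"):
    """Return (dmarc result, header.from domain) or (None, None)."""
    msg = message_from_string(raw_message)
    for value in msg.get_all(header, []):
        # Unfold the header and drop RFC 5322 comments such as "(p=reject)".
        flat = re.sub(r"\([^)]*\)", " ", " ".join(value.split()))
        for part in flat.split(";")[1:]:  # part 0 is the authserv-id
            m = re.match(r"\s*dmarc\s*=\s*(\w+)", part, re.I)
            if m:
                dom = re.search(r"header\.from\s*=\s*([^\s;]+)", part, re.I)
                return m.group(1).lower(), dom.group(1).lower() if dom else None
    return None, None

def published_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None if it is not DMARC."""
    pairs = (tag.partition("=") for tag in txt_record.split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs if k.strip()}
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def dmarc_fail_action(raw_message, txt_record):
    """Quarantine only when DMARC failed AND the domain asks for enforcement."""
    result, _domain = dmarc_result(raw_message)
    policy = published_policy(txt_record or "")
    if result == "fail" and policy in ("reject", "quarantine"):
        return "quarantine"
    return "continue"  # p=none or no record: leave the message to the other rules
```

A failed result against a domain publishing p=none is not quarantined by this logic, which is why monitoring-only domains remain easy to spoof.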

(Default) Invalid Sending Domain

Checks the sender domain for the presence of an MX record and host, and that the domain can be connected to. Also validates that the remote server responds to a HELO or EHLO command within 10 seconds. Adds 110 to spam score if triggered.

(Default) CoreService Spam

Checks whether the email is known spam, classifies it accordingly and adds values to the spam score.

(Default) CoreService Malware

Checks and classifies the email as malware when detected by heuristic analysis, and adds values to the virus score.

(Default) CoreService Phishing

Checks and classifies the email as a known Phishing attempt. These are Messages detected as phishing either by heuristic analysis or through a fraudulent link found in it. Adds values to the spam score.

(Default) Password Protected Attachment

Looks for password protected zip and PDF files, and adds a message header if such a file is found.

(Default) SWL Safe List

Completes an RBL lookup on the Safe List and, if listed on the whitelist, subtracts 100 from the spam score.

(Default) System Malware Detection

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 108 to the virus score.

(Default) Bit Defender AV

Runs the email and attachments through commercial anti-virus engines for known malware and threats and adds 110 to the virus score.

(Default) Blog Spam

Looks for known blog spam entries in body or subject and adds 110 to spam score if it finds any.

(Default) URL Scanner

Looks at URLs in the email and checks the reputation of those links using a subset of the LinkScan rule method.

(Default) DomainTools Threat Intelligence

Looks for known threat domains in all email addresses, and adds 110 to spam score if it finds any.

(Default) Automatically add outbound recipients to Personal Safe List

Disabled by default. This will automatically add the recipient email address to the personal safe list for outbound emails.

(Default) Email Banner

Disabled by default. Adds an email banner/stamp based on your branding.

Spoofed Messages

Executive Tracking

Nearby Domain

Detects senders using a domain similar to your own configured domains to appear as if it is an internal message. For more information see this article.
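The page does not say how the rule measures similarity. The following added example (not the product's code) shows one common approach: fold visually confusable characters to a skeleton, then fall back to an edit distance that counts a swapped pair as one change. The confusable map, the distance limit of 1, the function names and the sample domains are all assumptions.

```python
import unicodedata

# Assumed confusable substitutions; real deployments use a larger table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold a domain to a form where common look-alike characters compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def nearby_domain(sender_domain, own_domains, max_distance=1):
    """Return the configured domain being imitated, or None."""
    s = sender_domain.lower().rstrip(".")
    own = [o.lower().rstrip(".") for o in own_domains]
    # An exact match or a subdomain of a configured domain is not a look-alike.
    if any(s == o or s.endswith("." + o) for o in own):
        return None
    for o in own:
        if skeleton(s) == skeleton(o) or osa_distance(s, o) <= max_distance:
            return o
    return None
```

Exact matches are excluded first so that a message from a genuinely configured domain is left to the spoofing and authentication rules instead of being flagged here.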

CoreService Suspect

Messages with a subject that may potentially cause financial or other damage will be caught by this filter. For instance, emails with content referencing money transfer or intended to obtain personal information.

Script and Executable Files

Looks for any of the following file types, and adds to the spam score if such a file is detected:

Binary Format Extensions

.msi.bin

If you wish to completely block Executable files then you can create a rule using the File Type condition with value Executable. The File Type condition will also unpack archives to find matching File Types.

LinkScan

Rewrites any URL links to use the linkscan.io service. For more information see this article.

High Reputation Marketing

Typically, this Rule catches email campaigns issued from a professional and known routing platform (ESP) that follow the rules of use for email advertising, by providing unsubscribe links, list cleaning, etc. Prefixes a subject line entry with [Marketing High].

Medium Reputation Marketing

This Rule will catch any advertising email that follows the rules of use of marketing email, but which was not sent through a well-known routing platform. The heuristic rules that catch these are predictive and generic. Prefixes a subject line entry with [Marketing Medium].

Low Reputation Marketing

Any other advertising campaign that does not comply with emailing rules by presenting poorly-organized content, non-compliance with CAN-SPAM, no unsubscribe link, etc. Adds 109 to the spam score.

SPF Fail

Adds to the spam score for a message with an SPF FAIL result, based on the connecting IP, the SMTP connection sender domain and the sender domain's SPF DNS records.

Confirmed Phishing

Quarantines any known phishing emails (as identified by the CoreService Phishing Rule).

Confirmed Spam

If the previous rules have raised the spam score above the specified threshold, the message will be company quarantined into the spam folder. No digest will be sent. This reduces user administration, as these are known spam emails.

Possible Spam

This rule works in much the same way as the Confirmed Spam rule, except it deals with emails that haven't reached a high enough level to be company quarantined, but which are above a set level for safety. Emails that reach this level and trigger this rule will be quarantined.

Deliver Inbound

This rule is locked and cannot be changed or disabled. Routes email to DomainRoute. No NDR is sent back outbound if the customer's email server rejects the message. The message will remain in the queue for 144 hours before it expires.

Disclaimer

In order for this Rule to be triggered, the email has run through all the other Rules, and been considered safe. If you have a company-wide disclaimer that must be appended to the email, this Rule will add it. The Disclaimer rule is only created if a disclaimer has been added.

Deliver Outbound

This rule is locked and cannot be changed or disabled. Routes to MX records. An NDR will be sent to the local sender if delivery fails, with an expiry of 4 hours.